Safety-related switching device

ABSTRACT

The invention relates to a safety-related switching device (10) which is equipped with an electromagnetic coil (12), a control unit (20) and a first switching means (22). The first switching means (22) is designed to activate and deactivate the electromagnetic coil (12). Moreover, the first switching means (22) is designed to receive a coil control signal (24), a monitoring signal (32) and a first higher-level control signal (26). The safety-related switching device (10) also has a receiver unit (40) for receiving an external control signal (29). The receiver unit (40) is designed to generate the first higher-level control signal (26) and a second higher-level control signal (28) from the external control signal (29). The control unit (20) is designed to receive the second higher-level control signal (28).

The invention relates to a safety-related switching device and anassociated operating method. The invention also relates to a computerprogram product by means of which the inventive operating method isimplemented in a safety-related switching device. The invention furtherrelates to a switching system in which the claimed safety-relatedswitching device is used.

US 2011/0169345 A1 (Omron Corporation, JP) Jul. 14, 2011 discloses acontrol system for an electric motor, said control system beingconnected to a programmable logic controller (PLC) and a door switch.The control system also has two contactors, which are triggeredseparately by the door switch and the PLC. The PLC further monitors theswitching operation of one of the two contactors, said switchingoperation being initiated by the door switch. The control systemaccording to US 2011/0169345 A1 is intended to satisfy the requirementsof Safety Category 2 according to ISO 13849-1.

The solutions known from the prior art have the disadvantage that theycomprise a large number of individual components with considerablewiring expense. Moreover, there exists in the field of automationengineering a requirement for a switching device and a switching systemwhich offer a high degree of safety, are simultaneously easy andeconomical to manufacture, and allow ease of installation.

The object of the invention is to provide a safety-related switchingdevice which overcomes the aforementioned disadvantages of the prior artand, in a simple manner, offers a high degree of safety within themeaning of the relevant standards.

The object is achieved by a safety-related switching device comprising amagnetic coil by means of which a load circuit, e.g. a power supply ofan electric motor, can be opened and closed. The inventivesafety-related switching device also has a control unit which issuitable for receiving, evaluating and sending signals. Thesafety-related switching device further comprises a first switchingmeans, which is designed to activate and deactivate the magnetic coildirectly. The activation and deactivation of the magnetic coil in thiscase takes place as a function of signals which are received by thefirst switching means. According to the invention, the first switchingmeans is designed to receive a coil control signal which is generated bythe control unit or whose generation is initiated by the control unit.The first switching means is likewise designed to receive a monitoringsignal, by means of which it is possible to detect a deviation of thecontrol unit from a normal operating state. Furthermore, the firstswitching means receives a first higher-level control signal. Thesafety-related switching device also has a receiver unit, which isdesigned to receive an external control signal that is sent from acontrol entity at a higher level than the safety-related switchingdevice. The receiver unit is designed to generate the first and secondhigher-level control signals from the external control signal and tosupply said signals to the first switching means or the control unitrespectively; the receiver unit is therefore designed to generate thefirst higher-level control signal, which is forwarded to the firstswitching means, and a second higher-level control signal, which is sentto the control unit, from the external control signal. A correspondingpreparation of the external signal is performed by the receiver unit,such that the first and/or second higher-level control signal isforwarded in a suitable format to the control unit or the firstswitching means respectively. The first and second higher-level controlsignals can be designed to be identical or complementary to each otherin this case, such that the second higher-level control signal can bederived unambiguously from the first higher-level control signal.Conversely, the first higher-level control signal can also beunambiguously derivable from the second higher-level control signal.This means that the external control signal is captured and processed bythe receiver unit using multiple channels. Moreover, the control unit isdesigned to receive the second higher-level control signal.

The first switching means is designed to logically associate the coilcontrol signal, the monitoring signal and the first higher-level controlsignal and, on the basis of the logical association, to determinewhether the magnetic coil must be activated. If at least one of thesignals received by the first switching means requires a deactivation ofthe magnetic coil, a deactivation signal is sent to the magnetic coil.

By means of the association of the coil control signal, the monitoringsignal and the first higher-level control signal, an erroneousactivation signal is prevented from being sent to the magnetic coil innumerous operating scenarios. A high degree of safety for the operationof the magnetic coil is thereby achieved. The first higher-level controlsignal is therefore confirmed in the first switching means by the coilcontrol signal from the control unit. This in turn is confirmed by thepresence of the monitoring signal which, in the normal operation of thesafety-related switching device, shows a normal operating state of thecontrol unit. The safety-related switching device therefore refers tosignals which are generated for other functions in a safety-relatedswitching device. Therefore a reliable and correct activation ordeactivation of the magnetic coil is achieved by the first switchingmeans, even in the event of a failure of components in thesafety-related switching device. Additional wiring, via which externalsignals are sent to the safety-related switching device, is unnecessaryin the inventive solution. This allows simpler installation of thesafety-related switching device in an automation system.

The receiver unit allows a single-channel signal from the higher-levelcontrol entity to be supplied to the safety-related switching device ina suitable manner. Use of the second higher-level control signal thusensures the dual-channel postprocessing of a single-channel externalcontrol signal. If two channels are used, a fault tolerance of one isachieved for the purpose of triggering by an external higher-levelcontrol entity. If the multiplicity of channels is increased, a higherfault tolerance is realized accordingly.

In a preferred embodiment of the safety-related switching device, thereceiver unit and the first switching means are directly connectedtogether, preferably via a signal line, for the purpose of transferringthe first higher-level control signal from the receiver unit to thefirst switching means. This means that the first higher-level controlsignal can be transferred directly, i.e. without passing through furtherpostprocessing units and processes, from the receiver unit to the firstswitching means.

In a preferred embodiment of the safety-related switching device, thecontrol unit is designed to initiate sending of the coil control signalor generation of the coil control signal on the basis of the receivedsecond higher-level control signal. In addition to the secondhigher-level control signal, a configuration data record and/orparameter record which is stored in the control unit can also be takeninto account when generating the coil control signal. For example, theconfiguration data record and/or parameter record includes informationabout the class of size of the safety-related switching device and/orencoding information for the coil control signal. The secondhigher-level control signal is used to ensure the consistency of thesignals received by the first switching means.

In a preferred embodiment of the safety-related switching device, thisis equipped with a second switching means. The second switching meansforms a controlled freewheeling circuit and is connected to the controlunit and the magnetic coil. The power supply of the magnetic coil iscontrolled via the freewheeling circuit by means of the control unit. Bythis means, the principle of a controlled freewheeling circuit isrealized. The second switching means is coupled to the control unit andis suitable for interrupting the power supply of the magnetic coil via adeactivation instruction. The functioning of the first switching meanscan be monitored in turn by the second switching means in thefreewheeling circuit. Likewise, the functioning of the second switchingmeans can be monitored by the first switching means. If e.g. due to afault in the first switching means, contrary to the coil control signal,the monitoring signal and/or the first higher-level control signal, thefirst switching means continues to instruct an activation of themagnetic coil, this is counteracted by the second switching means. Inparticular, this prevents a fault of an individual component, e.g. thefirst switching means, from resulting in a failure of the safety-relatedswitching device overall. The second switching means is therefore partof a controlled freewheeling circuit and serves as a redundant cutoffelement.

In a further embodiment of the invention, the receiver unit can also bedesigned such that the first and second higher-level control signals arealready contained separately in the external control signal, andtherefore a dual-channel external control signal is present. Thiscreates a connection to the higher-level control entity which is bothsimple and effective in respect of safety, and counteracts theoccurrence of fault conditions during the operation of the magneticcoil. The safety that can be achieved by the claimed switching device isalso increased thereby.

In a further advantageous embodiment of the claimed invention, the firstswitching means is designed to deactivate the magnetic coil if at leastone of the incoming signals, i.e. the first higher-level control signal,the coil control signal or the monitoring signal, prescribes a coildeactivation. The inventive safety-related switching device is based oncorrectly identifying a fault condition that occurs in at least one ofthe components of the safety-related switching device or in thehigher-level control entity and initiating a correspondingcountermeasure. The use of the first higher-level control signal as acriterion for deactivating the magnetic coil uses the safety-relatedcapabilities of the higher-level control entity. The control unit isable to evaluate a multiplicity of safety-relevant information and toinfluence the magnetic coil via the coil control signal in asafety-related manner. The monitoring signal as a deactivation criterionfor the magnetic coil allows the resilience of the watchdog to be usednot only for the safe operation of the control unit, but also for thedirect activation or deactivation of the magnetic coil. A deactivationof the magnetic coil can be initiated by a corresponding logicalassociation of the first higher-level control signal, the coil controlsignal and the monitoring signal using simple and reliable components.The invention overall offers a significant increase in safety at thesame time as reduced material expense.

Alternatively, the inventive safety-related switching device can alsohave an auxiliary control unit which monitors the functional capabilityof the control unit. The auxiliary control unit preferably has the samestructural format as the control unit.

A second switching means, which is also used to deactivate magneticcoil, can additionally be assigned to the safety-related switchingdevice. The second switching means can be actuated independently of thefirst switching means, and coupled to the control unit via a separatefreewheeling circuit. In normal operation, the current strength iscaptured by means of a measuring device and the measured data isforwarded to the control unit. A reference value for the currentstrength that must be present in the magnetic coil is stored in thecontrol unit. The reference value is independent of the structural sizeof the safety-related switching device in this case, and can be set bymeans of e.g. parameterization in the control unit. A selectabletolerance value is also stored in the control unit, and can be takeninto account when comparing the reference value with the measured datafrom the measuring device. If the magnitude of the current strength thatis present in the magnetic coil differs from the reference value by morethan the selectable tolerance value, a critical state of the magneticcoil is identified, e.g. an overcurrent or an undercurrent. If acritical state of the magnetic coil is identified, an instruction fromthe control unit actuates the second switching means such that themagnetic coil is deactivated by interrupting the power supply thereof.By virtue of the freewheeling circuit comprising the second switchingmeans, the control unit has an additional means for deactivating themagnetic coil.

By virtue of the freewheeling circuit, the control unit is able toactuate the second switching means in addition to the first switchingmeans in order to deactivate the magnetic coil. A redundant means ofdeactivating the magnetic coil is provided thereby. As a consequence,the actuation safety of the safety-related switching device is furtherincreased.

In a specifically preferred embodiment of the invention, the first orsecond switching means in each case comprises a semiconductor switch, inparticular a transistor, e.g. an IGBT (Insulated Gate BipolarTransistor) or a MOSFET (Metal Oxide Semiconductor Field EffectTransistor), and/or at least one logic module. These are simple,reliable and cost-efficient electronic components which allowparticularly economical manufacture of the safety-related switchingdevice.

A pulse-width modulation signal (PWM signal) adopts a high state and alow state alternately. The transition between the high state and the lowstate takes place at a frequency which is interpreted by the firstswitching means as an activation signal to the magnetic coil. This isachieved by using the response delay of a logic module, for example. Thecoil control signal can therefore be designed as a functional element ofan existing PWM signal, such that a separate path for the coil controlsignal is unnecessary. Additionally or alternatively, the monitoringsignal can be designed as an output signal of a watchdog which isconnected to the control unit. The use of the monitoring signal for thefirst switching means therefore requires only minimal material expense.This likewise increases the simplicity and hence resilience and economicviability of the inventive safety-related switching device. Moreover, alonger repeat test interval of up to one month can be achieved.

In a further preferred embodiment of the invention, the magnetic coil isused to open and close a load circuit which carries a power of 50 kW to750 kW. The inventive safety-related switching device is therefore alsosuitable for correspondingly large magnetic coils requiring a higherlevel of driving power. The inventive safety-related switching device isreadily adaptable to a wide range of intended uses and offers a highdegree of resilience.

The object of the invention is also achieved by an operating method fora safety-related switching device comprising a magnetic coil by means ofwhich a load circuit is interrupted or closed respectively. Thesafety-related switching device has a control unit and a first switchingmeans, by means of which the following method steps are performed:

In a first method step, a first higher-level control signal which issent from a higher-level control entity to the safety-related switchingdevice is received by the first switching means. In a further methodstep, a coil control signal which is generated and sent indirectly ordirectly from the control unit is received by the first switching means.In a further method step, a monitoring signal which is generated by awatchdog is also received by the first switching means. The watchdog isconnected to the control unit and monitors the normal functioningthereof. The monitoring signal shows whether a normal state of thecontrol unit is present. In a further method step the first switchingmeans registers whether at least one of the received signals prescribesa deactivation of the magnetic coil. If at least one of the receivedsignals, i.e. the first higher-level control signal, the monitoringsignal or the coil control signal exhibits a state which requires adeactivation of the magnetic coil, a deactivation instruction is sentfrom the first switching means to the magnetic coil. During theoperating method, the control unit receives a second higher-levelcontrol signal in a further method step and initiates the correspondingcoil control signal to the first switching means. In this case, thefirst and second control signals are generated from an external controlsignal in a further method step by a receiver unit of the safety-relatedswitching device.

In the inventive operating method, the steps in which the firsthigher-level control signal, the coil control signal and the monitoringsignal are received by the first switching means can be performedessentially simultaneously. The evaluation of the signals arriving atthe first switching means can be performed quickly and reliably onsimple hardware. A temporal coordination of the signals is not required,and therefore the first higher-level control signal, the coil controlsignal and the monitoring signal can be adapted to their other functionsin respect of timing. The inventive operating method offers an increasein safety, said increase requiring no disadvantageous modification ofthe signals used. The claimed operating method can therefore be realizedby means of a simple upgrade of existing hardware.

In a preferred embodiment of the inventive operating method, the firsthigher-level control signal is transferred from the receiver unitdirectly to the first switching means.

In a specifically preferred embodiment of the inventive operatingmethod, in an additional method step, a current flow through themagnetic coil is captured by means of a measuring device. The capture ofthe current flow preferably takes place cyclically during operation. Ifthe captured current flow in the magnetic coil differs from a settablereference value, a deactivation instruction is sent from the controlunit to the first and/or second switching means in order thereby tointerrupt the power supply of the magnetic coil. As a result of theadditional method steps described, it is ensured that a deactivationinstruction is successfully implemented by at least one of the availableswitching means in the event of a fault.

The inventive operating method is based on a minimum of signals in thiscase, said signals being routinely generated in switching devices. As aresult of the simplicity of the inventive operating method, it canreadily be implemented on hardware having limited computing power.Overall, a high degree of operational safety for a safety-relatedswitching device is achieved with reduced expense in terms of hardwareand firmware.

The object of the invention is also achieved by a computer programproduct which is suitable for storage and execution on a control unit ina corresponding safety-related switching device. The computer programproduct is inventively designed to perform at least one of the operatingmethods cited above in one of the safety-related switching devicesdescribed above.

The object of the invention is also achieved by an inventive switchingsystem which is designed to open or close a load circuit. The switchingsystem comprises a higher-level control entity for this purpose, e.g. astored program control or a safety switching device, which is configuredto output a single-channel or a dual-channel external control signal.The higher-level control entity is connected to two safety-relatedswitching devices for this purpose, such that the switching system has ahardware-fault tolerance of at least one. The at least twosafety-related switching devices reciprocally represent thecorresponding reserve device in each case. If one of the twosafety-related switching devices fails, e.g. as a result of contactsticking, the other safety-related switching device respectively is ableto perform a safe deactivation of the load circuit. The principle of adual-channel structure is thereby realized in the inventive switchingsystem. The safety-related switching devices in the claimed switchingsystem are designed in each case according to one of the above describedembodiments of the claimed safety-related switching device. Theinventive switching system overall has a Safety Integrity Level of up toSIL3, a Performance Level of up to PLe and a Safety Category of up to 4.The SIL Claim Limit of the inventive switching system is up to SIL CL3.

The invention is described in greater detail below with reference toindividual exemplary embodiments, wherein:

FIG. 1 shows the structure of an embodiment of the inventivesafety-related switching device;

FIG. 2 shows the sequence of an embodiment of the inventive operatingmethod;

FIG. 3 shows the structure of an embodiment of the inventive switchingsystem.

FIG. 1 schematically illustrates the structure of an embodiment of theinventive safety-related switching device 10, this being connected to aload circuit 50. The power supply of the safety-related switching device10 is effected via a mains supply 11, which provides inter alia thecurrent for the operation of the individual components in thesafety-related switching device 10. The mains supply 11 is connected toa rectifier 18 and a multistage voltage level adjustment. The adjustedvoltage levels are monitored by means of voltage measuring devices 17and the measurement result is forwarded to a control unit 20. The mainssupply 11 is further coupled to a voltage sensor 21, whose measurementsare used to define the pulse width modulation of the coil control signal24.

The safety-related switching device 10 has a magnetic coil 12, which isconfigured to perform an electromagnetic actuation of a mechanicalcoupling 15 to switching contacts 14, these being shown symbolically.The switching contacts 14 are part of the load circuit 50, in which asignificantly higher current is carried than in the switching device 10itself. The switching contacts 14 in the load circuit 50 interact withauxiliary contacts 16, which are used to report the switching state ofthe switching contacts 14. The magnetic coil 12 can be activated anddeactivated via a first switching means 22, this comprising an IGBT 34.The first switching means 22 is connected to a signal generator 37,which can be triggered by the control unit 20. The control unit 20 isdesigned as a microcontroller and is suitable for outputting a signal 31which is converted into the coil control signal 24 by the signalgenerator 37. The coil control signal 24 is a pulse-width modulatedsignal (PWM signal), by means of which it is possible to set theretention force generated by the magnetic coil 12. The first switchingmeans 22 is configured to receive the coil control signal 24 and toregister therefrom whether activation of the magnetic coil 12 isinstructed or not. The first switching means 22 is also designed toreceive a first higher-level control signal 26, which reaches thesafety-related switching device 10 via a receiver unit 40. Thehigher-level control signal 26 is generated by a higher-level controlentity 62 which is not illustrated in greater detail. Furthermore, thefirst switching means 22 is configured to receive a monitoring signal32, this being sent by a watchdog 30. The watchdog 30 is coupled to thecontrol unit 20. The monitoring signal 32 shows in a binary mannerwhether correct operation of the control unit 20 is present.

The first switching means 22 checks the incoming coil control signal 24,the first higher-level control signal 26 and the monitoring signal 32 inorder to determine whether one of these signals prescribes adeactivation of the magnetic coil 12. The check is effected by means ofa suitable logical association of the signals 24, 26, 32 in this case.If at least one of the signals 24, 26, 32 indicates that a deactivationof the magnetic coil 12 is required, a deactivation instruction 25 issent from the first switching means 22 to the magnetic coil 12.Furthermore, the control unit 20 is designed to receive a secondhigher-level control signal 28. The first and second higher-levelcontrol signals 26, 28 belong to a dual-channel external control signal29 that is sent by the higher-level control entity 62, which is notshown in greater detail but is connected to the safety-related switchingdevice 10 via the receiver unit 40. By means of the receiver unit 40,the first and second higher-level control signals 26, 28 from theexternal control signal 29 are supplied in a suitable format for thesafety-related switching device 10. The control unit 20 able to checkthe consistency of the present actuation status of the magnetic coil 12using the external control instruction 29.

The control unit 20 is also connected to a measuring device 38 whichsends measured data 39. The measured data 39 includes a variable whichshows the operating state of the power supply of the magnetic coil 12.The corresponding variable in the measured data 39 is compared with asettable reference value in the control unit 20. The reference value isset by a data record 42 which includes a configuration data recordand/or a parameter record. If the captured variable differs in magnitudeby more than a selectable tolerance value from the settable referencevalue, the control unit 20 identifies an abnormal state in the powersupply of the magnetic coil 12. The tolerance value can also be set viathe data record 42. If an abnormal state of the power supply of themagnetic coil 12 is identified, the control unit 20 sends a cutoffinstruction 27 to a second switching means 23. At the same time, thecontrol unit 20 sends a corresponding cutoff instruction to the firstswitching means 22 in the form of a corresponding signal 31 to thesignal generator 37. The captured variable is e.g. a current strength ofthe power supply of the magnetic coil 12. The second switching means 23is arranged in a freewheeling circuit 33 and is suitable for switchingthe magnetic coil 12 to no-load. The second switching means 23 comprisesa semiconductor switch 34 for this purpose. The isolation of the powersupply of the magnetic coil 12 is effected by means of a deactivationinstruction 25 from the second switching means 23.

Using the measured data 39 of the measuring device 38, the control unit20 is able to verify the successful implementation of a deactivationinstruction 25 that has been output by the first switching means 22. Ifafter a deactivation instruction 25 has been output by the firstswitching means 22, a variable (e.g. the current strength) that iscaptured by the measuring device 38 indicates an actuation, i.e. anactive state of the magnetic coil 12, the control unit 20 is designed tosend a corresponding cutoff instruction 27 to the second switching means23. In the second switching means 23, the cutoff instruction 27 from thecontrol unit 20 is converted into a corresponding deactivationinstruction 25, by means of which the magnetic coil 12 is switched tono-load. The freewheeling circuit 33 comprising the second switchingmeans 23 therefore provides a fallback facility in the event thatcorrect deactivation of the magnetic coil 12 cannot be guaranteed viathe first switching means 22 alone. The safety-related switching device10 alone offers a Safety Integrity Level of up to SIL2, a PerformanceLevel of up to PLc and a Safety Category of up to 2. Furthermore, theSIL Claim Limit of the safety-related switching device 10 has a SILClaim Limit of up to SIL CL2.

FIG. 2 schematically shows the sequence of an operating method 100 for asafety-related switching device 10 which is not illustrated in greaterdetail, said switching device 10 being configured to open or close aload circuit 50. In a first method step 110, a first higher-levelcontrol signal 26 that is sent from a higher-level control entity 62 isreceived by a switching means 22 in the safety-related switching device10. In a further method step 120, which takes place essentially inparallel with the first method step 110, a coil control signal 24 thatis generated by a control unit 20 of the safety-related switching device10 is received by the first switching means 22. Furthermore, in a thirdmethod step 130, which takes place at essentially the same time as thefirst and second method steps 110, 120, a monitoring signal 32 isreceived by the first switching means 22. The monitoring signal 32represents the report of function monitoring for the control unit 20.For this purpose, the control unit 20 is monitored by a watchdog 30 inorder to determine whether it continues to function normally. Themonitoring signal 32 shows in a binary manner whether a normal operatingstate of the control unit 20 is present. In a fourth method step 140following thereupon, the available signals, i.e. the first higher-levelcontrol signal 26, the coil control signal 24 and the monitoring signal32 are checked in order to determine whether at least one of themindicates that a deactivation of the magnetic coil 12 required. This isthe case, for example, if isolation of the load circuit 50 is instructedby the first higher-level control signal 26. In addition oralternatively, deactivation of the magnetic coil 12 is required if aninstruction from the control unit 20 prescribes an isolation of the loadcircuit 50 or if the monitoring signal 32 indicates that the controlunit 20 is not working normally.

Depending on the result of the fourth method step 140, a first branch145 of the operating method 100 takes place. If at least one of thesignals 24, 26, 32 prescribes a deactivation of the magnetic coil 12, adeactivation instruction 25 is output to the magnetic coil 12 by thefirst and second switching means 22, 23 in a fifth method step 150.After the resulting isolation of the load circuit 50, a stable end state200 is established.

If all signals 24, 26, 32 continue to require an activation of themagnetic coil 12, a sixth method step 160 takes place in which a currentflow through the magnetic coil 12 is captured by means of a measuringdevice 38. In the sixth method step 160, the captured current flow iscompared with a settable reference value. Depending on the result of thecomparison between the settable reference value and the captured currentflow, a second branch 165 of the inventive method 100 takes place. If anevaluation of the comparison in the step 160 reveals that thesafety-related switching device 10 is operating correctly, the methodreturns 166 to the initial state in the first method step 110.

If the comparison in the sixth method step 160 reveals that the state ofthe switching device 10 is abnormal, a seventh method step 170 follows.In this step, the control unit 20 causes a deactivation instruction 25to be output from the first and second switching means 22, 23 to themagnetic coil 12. An isolation of the load circuit 50 is producedthereby, resulting in a stable end state 200.

FIG. 3 illustrates the structure of an inventive switching system 60,having a higher-level control entity 62 which is used to open and closea load circuit 50. The load circuit 50 is shown by way of example as athree-phase power supply. The higher-level control entity 62 has acommunication connection to two safety-related switching devices 10,these being designed to interrupt the load circuit 50 independently ofeach other. A computer program product 80 is stored in each of thesafety-related switching devices 10, and is designed in each case toimplement the inventive operating method 100 on the safety-relatedswitching devices 10. The safety-related switching devices 10 aretriggered separately by the higher-level control entity 62 via externalcontrol signals 29, said external control signals 29 comprising a firstand a second higher-level control signal 26, 28 in each case. Theexternal control signals 29 are received by a receiver unit 40, whichsupplies the first and second higher-level control signals 26, 28 to thesafety-related switching devices in a suitable format in each case. Inthe safety-related switching devices 10, the switching state of theswitching contacts 14 that open and close the load circuit 50 isreported back separately in each case by means of auxiliary contacts 16to the higher-level control entity 62. By serially combining the twosafety-related switching devices 10, a hardware-fault tolerance of oneis achieved in the inventive switching system 60. The switching system60 also has a Safety Integrity Level of up to SIL 3 and a PerformanceLevel of up to PLe. Furthermore, the switching system 60 according toFIG. 3 has a Safety Category of 4.

1. A safety-related switching device comprising: a magnetic coil; acontroller; and a first switching device configured to: activate anddeactivate the magnetic coil; and receive a coil control signal, amonitoring signal, and a first higher-level control signal, wherein thesafety-related switching device has a receiver unit for receiving anexternal control signal, the receiver unit being configured to generatethe first higher-level control signal and a second higher-level controlsignal from the external control signal, wherein for transferring thefirst higher-level control signal from the receiver unit to the firstswitching device, the receiver unit and the first switching device aredirectly connected together, and wherein the controller is configured toreceive the second higher-level control signal and to initiate a sendingof the coil control signal based on the received second higher-levelcontrol signal.
 2. (canceled)
 3. (canceled)
 4. The safety-relatedswitching device claim 1, wherein the safety-related switching devicehas a second switching device that forms a freewheeling circuit, thefreewheeling circuit being connected to the controller and beingconfigured to activate and deactivate the magnetic coil.
 5. Thesafety-related switching device claim 1, wherein the first switchingdevice is configured to deactivate the magnetic coil when a coildeactivation is prescribed at least by the first higher-level controlsignal, the coil control signal or the monitoring signal.
 6. Thesafety-related switching device of claim 4, wherein the second switchingdevice is configured to deactivate the magnetic coil when a currentstrength that is present in the freewheeling circuit differs inmagnitude by more than a selectable tolerance value from a referencevalue.
 7. The safety-related switching device of claim 1, wherein thefirst switching device comprises a semiconductor switch, at least onelogic module, or the semiconductor switch and the at least one logicmodule.
 8. The safety-related switching device of claim 1, wherein thecoil control signal takes the form of a pulse-width modulation signal,the monitoring signal takes the form of an output signal of a watchdogthat is connected to the controller, or a combination thereof.
 9. Thesafety-related switching device of claim 4, wherein the second switchingdevice comprises a semiconductor switch, at least one logic module, orthe semiconductor switch and the at least one logic module.
 10. Thesafety-related switching device of claim 1, wherein a load circuitcarrying a power from 50 kW to 750 kW is interruptible by the magneticcoil.
 11. An operating method for a safety-related switching device forswitching a load circuit by a magnetic coil, wherein the safety-relatedswitching device has a controller and a first switching device, theoperating method comprising: receiving a first higher-level controlsignal at the first switching device; receiving a coil control signal atthe first switching device, wherein sending of the coil control signalis initiated by the controller; receiving a monitoring signal at thefirst switching device, wherein the monitoring signal is sent by awatchdog that monitors the controller; sending a deactivationinstruction from the first switching device to the magnetic coil when,in the receiving of the first higher-level control signal, the receivingof the coil control signal, the receiving of the monitoring signal, orany combination thereof, a signal that prescribes a deactivation of themagnetic coil is received; receiving, by the controller, a secondhigher-level control signal and initiating the corresponding coilcontrol signal to the first switching device, wherein the firsthigher-level control signal and the second higher-level control signalare generated from an external control signal by a receiver unit, andwherein the first higher-level control signal is transferred directlyfrom the receiver unit to the first switching device.
 12. (canceled) 13.The operating method claim 11, further comprising: capturing a currentflow through the magnetic coil by a measuring device after expiry of aselectable time duration; and sending a deactivation instruction to thefirst switching device, the second switching device, or the firstswitching device the second switching device to interrupt a power supplyof the magnetic coil when the current flow captured in the capturingdiffers from a settable reference value.
 14. A switching system forswitching a load circuit, the switching system comprising: ahigher-level control entity configured to output a single-channel ordual-channel external control signal, wherein the switching system has ahardware fault tolerance of at least one and is connected to twosafety-related switching devices, each of the two safety-relatedswitching devices comprising a magnetic coil, a controller, and a firstswitching device, the first switching device being configured toactivate and deactivate the magnetic coil and receive a coil controlsignal, a monitoring signal, and a first higher-level control signal,wherein the safety-related switching device has a receiver unit forreceiving an external control signal, the receiver unit being configuredto generate the first higher-level control signal and a secondhigher-level control signal from the external control signal, whereinfor transferring the first higher-level control signal from the receiverunit to the first switching device, the receiver unit and the firstswitching device are directly connected together, and wherein thecontroller is configured to receive the second higher-level controlsignal and to initiate a sending of the coil control signal based on thereceived second higher-level control signal.
 15. In a non-transitorycomputer-readable storage medium that stores instructions executable bya control unit of a safety-related switching device to operate asafety-related switching device for switching a load circuit by amagnetic coil, wherein the safety-related switching device has acontroller and a first switching device, the instructions comprising:receiving a first higher-level control signal at the first switchingdevice; receiving a coil control signal at the first switching device,wherein sending of the coil control signal is initiated by thecontroller; receiving a monitoring signal at the first switching device,wherein the monitoring signal is sent by a watchdog that monitors thecontroller; sending a deactivation instruction from the first switchingdevice to the magnetic coil when, in the receiving of the firsthigher-level control signal, the receiving of the coil control signal,the receiving of the monitoring signal, or any combination thereof, asignal that prescribes a deactivation of the magnetic coil is received;receiving, by the controller, a second higher-level control signal andinitiating the corresponding coil control signal to the first switchingdevice, wherein the first higher-level control signal and the secondhigher-level control signal are generated from an external controlsignal by a receiver unit, and wherein the first higher-level controlsignal is transferred directly from the receiver unit to the firstswitching device.
 16. The safety-related switching device of claim 7,wherein the first switching device comprises the semiconductor switch,the semiconductor switch being an IGBT or a MOSFET.
 17. Thesafety-related switching device of claim 9, wherein the second switchingdevice comprises the semiconductor switch, the semiconductor switchbeing an IGBT or a MOSFET.